Malicious PDF — malware analysis report

Static analysis result for SHA-256 e328ef156e970154…

Verdict: MALICIOUS
File type: PDF
Size: 148.0 KB
Created: 2020-08-11 21:39:15 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d127a9979b8e544923d66651085320c7
SHA-1: b63fdcba2db96b4b9a8d9008aa33ac0577a1b022
SHA-256: e328ef156e97015482e0410ac2bcc0111f94a915dbb541ff2ba64159d262aa56
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a link to a known malicious redirector, ttraff.cc, which is flagged by heuristics. The ML classifier also strongly indicated maliciousness. The embedded URL is the primary indicator of malicious intent, likely leading to a further stage of attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF links to known malicious redirector infrastructure [critical] PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: https://ttraff.cc/pify?keyword=overweight+definition+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                       Size
font_00_sfnt_off0001e771.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1E771   5064 bytes
  SHA-256: 4eaa81956d9f5e2e898bc75c708d0bc3996b4b4501836ffed0586de5bbc24524
font_01_sfnt_off0001f8ba.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1F8BA   8228 bytes
  SHA-256: 658331bcfab46722c4dc072b9909be9ec1171dbf9bfaf8c838dc764734ae648e
font_02_sfnt_off00020e9e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x20E9E   17000 bytes
  SHA-256: 0356c19a2e833b3165b37dcbdbb67501fc9e99053285c5d3b5a70a6c86381551